-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1645-1 security@xxxxxxxxxx http://www.debian.org/security/ Steve Kemp October 06, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : lighttpd Vulnerability : various Problem type : remote Debian-specific: No CVE Id(s) : CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4298 A memory leak in the http_request_parse function could be used by remote attackers to cause lighttpd to consume memory, and cause a denial of service attack. CVE-2008-4359 Inconsistent handling of URL patterns could lead to the disclosure of resources a server administrator did not anticipate when using rewritten URLs. CVE-2008-4360 Upon file systems which don't handle case-insensitive paths differently it might be possible that unanticipated resources could be made available by mod_userdir. For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch11. For the unstable distribution (sid), these problems will be fixed shortly. We recommend that you upgrade your lighttpd package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11.dsc Size/MD5 checksum: 1108 d747ed7b2063ad6696064bf821c50a00 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11.diff.gz Size/MD5 checksum: 38244 c6de19903fcf9972a3db86af50c3dfb6 Architecture independent packages: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch11_all.deb Size/MD5 checksum: 100436 4b00f0a8ec894c84f01e0924121ddc16 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_amd64.deb Size/MD5 checksum: 298530 b1ebecc6e7bf459f367d7cd697cfc826 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_amd64.deb Size/MD5 checksum: 70718 17ccecf27a1fd3889cafbcf99b438959 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_amd64.deb Size/MD5 checksum: 64420 7eeeab5dac95d1318f7c0ccafdc88db3 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_amd64.deb Size/MD5 checksum: 59536 8c6c8f79f475e1168e7c6034fab19e7e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_amd64.deb Size/MD5 checksum: 61266 51b5201427b3ef3b14f1fd8346a2be69 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_amd64.deb Size/MD5 checksum: 64070 d2558ad437f37b51370649f61bd594fa arm architecture (ARM) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_arm.deb Size/MD5 checksum: 70076 9e71864930a9b029faa7d06cb83ad368 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_arm.deb Size/MD5 checksum: 61170 bf9adc9694e8079789f74c1ef7f159d7 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_arm.deb Size/MD5 checksum: 63226 613c8ac801f2897c61e9ff0e2da39e64 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_arm.deb Size/MD5 checksum: 59046 939e326f979ffd4ec524a37398a9a668 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_arm.deb Size/MD5 checksum: 287252 373373dbe20c5073e93e8ecb2a7c293e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_arm.deb Size/MD5 checksum: 63434 b653d9e0dfefb364724ea7495cd98c39 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_hppa.deb Size/MD5 checksum: 324728 73b5dd3a1eeeeffd0f0b0190ff0cdf95 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_hppa.deb Size/MD5 checksum: 65224 046f3680fb5ded22085042cf0643311e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_hppa.deb Size/MD5 checksum: 65712 918e553fb47bc57c8047ec1858399bcc http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_hppa.deb Size/MD5 checksum: 60226 8fc494d0eba0ec181acd276967f3bf6a http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_hppa.deb Size/MD5 checksum: 72628 b7b7512883bec97a11b68da12f0b0447 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_hppa.deb Size/MD5 checksum: 62188 bcab41cca185b771d91bac5b2b9d0d47 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_i386.deb Size/MD5 checksum: 61070 f6ea45c9b9ed3bd7f0d981e19d71fdf1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_i386.deb Size/MD5 checksum: 63808 3bb9c5035f9a1e06ba9cb7af51e99a65 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_i386.deb Size/MD5 checksum: 71108 6ae8d10751c07ae66bff8bed2e17f715 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_i386.deb Size/MD5 checksum: 289948 72af5544b50eb7b28f0824d49cc46bd9 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_i386.deb Size/MD5 checksum: 64002 5ac520a0beb4b0049813d172da8e3c8c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_i386.deb Size/MD5 checksum: 59390 f66da44a91b9dc4c733dfcfc493647f1 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_ia64.deb Size/MD5 checksum: 67894 5097db8cd6a61d6d6129b6e9b5c436e1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_ia64.deb Size/MD5 checksum: 67744 20093c425950cc552b02dc1849003c12 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_ia64.deb Size/MD5 checksum: 403884 59b49d630c89b528fe46ea909dfc945c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_ia64.deb Size/MD5 checksum: 61546 85f2515fd4b1d9789c4a29607cdf3f68 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_ia64.deb Size/MD5 checksum: 77444 7a4bf21dc0c64f18fde8ba5e437a19f7 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_ia64.deb Size/MD5 checksum: 63420 1b0da59a7d8d819f0fcedea756337824 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_mips.deb Size/MD5 checksum: 63074 1b8f8b706976a7050ce692a44c3235c2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_mips.deb Size/MD5 checksum: 69648 5431ee8bb1b51afb606698a483375e07 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_mips.deb Size/MD5 checksum: 296954 7f0e552d9f0e8a8db5f85667b3b2442a http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_mips.deb Size/MD5 checksum: 58994 9774b5ec6521ac3585faa319ce987965 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_mips.deb Size/MD5 checksum: 62948 91c0a914100ce9247f145828dace542c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_mips.deb Size/MD5 checksum: 60368 ac07e4609a5447335749290dd65b67d7 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_powerpc.deb Size/MD5 checksum: 72168 331b11ad7120113ad3868ee6caea7379 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_powerpc.deb Size/MD5 checksum: 62838 f0cd5f92e92ce7cf29c1492906ad2369 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_powerpc.deb Size/MD5 checksum: 65786 fdeb6f0bba353cf7bfe5e32628984e41 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_powerpc.deb Size/MD5 checksum: 65510 68d7c6a4deb32000d34767ef58b64618 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_powerpc.deb Size/MD5 checksum: 324380 6cb824c5f80fe7f5268321528bfeb0a0 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_powerpc.deb Size/MD5 checksum: 61026 ea46e63147d354f3e3c3bbf924de34b8 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_s390.deb Size/MD5 checksum: 64998 332bc6cc8b74acc9785083f8c04486eb http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_s390.deb Size/MD5 checksum: 71752 eb3be87d9bf983f15b01369d4cfe7ece http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_s390.deb Size/MD5 checksum: 59956 8e7b812b20a7c81a324dcc001c385722 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_s390.deb Size/MD5 checksum: 307788 11159eae7ab16e5e1e7a7be479beba42 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_s390.deb Size/MD5 checksum: 61444 3d8689c48093b15ce1aa41a8e64c0415 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_s390.deb Size/MD5 checksum: 64606 6df415487e8b951fc8394328640760dd sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_sparc.deb Size/MD5 checksum: 59346 673f046f66e2580edd7b78492ff90b82 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_sparc.deb Size/MD5 checksum: 61050 7d2fdcc70e4ddd86d2f3a7a66ed6c1f5 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_sparc.deb Size/MD5 checksum: 64032 8a1e6bc3aa8bfb27588706d606966898 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_sparc.deb Size/MD5 checksum: 63992 a11081ea69387ca39029aa5fcc6dfe34 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_sparc.deb Size/MD5 checksum: 70442 936290009a438ea0827cc281ae320496 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_sparc.deb Size/MD5 checksum: 283902 464cd3874bbbd4727d179f8bdf4710fa These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFI6kriwM/Gs81MDZ0RArK/AJ42foKLAIkL/x9wizFoK/w1aTkV3QCeIcNs 0qPQ1pW14meXC4sRZPTGae8= =cyqs -----END PGP SIGNATURE-----
